By Paul Ziobro and Joann S. Lublin
A prominent proxy adviser urged the ouster of most Target Corp.
board members for failing to manage risks and protect the company
from a massive data breach at the end of last year, a warning to
corporate boardrooms to take cybersecurity more seriously.
Institutional Shareholder Services, which advises big
shareholders how to vote on corporate ballots, called on Target
shareholders to oust seven of the company's 10 directors for not
doing enough to ensure Target's systems were fortified against
security threats.
The recommendation focused on directors who serve on Target's
audit and corporate-responsibility committees, which are tasked
with overseeing and managing risk. "It appears that failure of the
committees to ensure appropriate management of these risks set the
stage for the data breach, which has resulted in significant losses
to the company and its shareholders," ISS wrote.
The report puts corporate board members on notice to treat the
risks associated with cyberattacks more seriously, particularly
directors at retailers which store vast amounts of data like credit
card numbers and personal information that cybercriminals seek.
Other retailers like Michaels Stores Inc. and Neiman Marcus Group
have fallen victim to cyberattacks where credit-card information
was compromised.
The ISS move is "raising a red flag about risk oversight that is
a growing issue for boards," said Eleanor Bloxham, a corporate
governance consultant in Columbus, Ohio.
Many corporate directors have begun paying greater attention to
overseeing risk--such as through the appointment of a chief audit
executive who reports directly to the full board, an arrangement
that allows the board to get unfiltered information.
Kenneth Daly, president of the National Association of Corporate
Directors, estimates that several hundred U.S. companies now employ
a chief audit executive who reports directly to the board. "Five
years ago, it was uncommon," Mr. Daly said.
In response to ISS's criticism Wednesday, Target's board said
overseeing risk is the responsibility of the entire board and is
part of its continuing review of the company's strategy. It said
that Target's security measures were "among the best-in-class
within the retail industry," adding that it had made significant
investments in data security and that its payment systems had been
compliant with industry guidelines.
Hackers worked their way into Target's payment network in
mid-November, using the credentials of a third-party refrigeration
contractor to access the retailers system. The malware worked for
roughly three weeks, scooping up valuable data compromising 40
million credit- and debit-card numbers eventually sold on the black
market.
Another proxy advisory firm, Glass, Lewis & Co., took a
different stance, saying there wasn't yet enough evidence that the
data breach was due to any neglect by Target's board or
executives.
ISS, which rarely recommends voting against a majority of the
board, added that actions Target took in response to the breach,
like replacing the chief information officer and beefing up its
security protocols, appear "largely reactionary" and could have
prevented the data breach had the company implemented them
sooner.
ISS called for voting against Target's two longest-serving
directors: former Xerox Corp. Chief Executive Anne Mulcahy and the
one-time head of Fannie Mae and lead independent director James
Johnson. Roxanne Austin, the interim chairman, is another director
ISS targeted for defeat.
The firm recommends voting for Kenneth Salazar, the former U.S.
senator who leads the corporate responsibility committee and joined
the board last July, as well as two members who didn't serve on the
audit or oversight committees.
The shareholder votes will be counted at Target's annual
meeting, scheduled for June 11.
Write to Paul Ziobro at Paul.Ziobro@wsj.com and Joann S. Lublin
at joann.lublin@wsj.com
Subscribe to WSJ: http://online.wsj.com?mod=djnwires